U.S. Department of Energy
Office of Inspector General
Office of Audits & Inspections

Audit Report

Follow-up Audit of the Department's Cyber Security Incident Management Program

DOE/IG-0878                                                  December 2012


Department of Energy
Washington, DC 20585
December 11, 2012

MEMORANDUM FOR THE SECRETARY

FROM:     Gregory H. Friedman
          Inspector General

SUBJECT:  INFORMATION: Audit Report on "Follow-up Audit of the Department's Cyber Security Incident Management Program"

INTRODUCTION AND OBJECTIVE

The Department of Energy operates numerous networks and systems to help accomplish its strategic missions in the areas of energy, defense, science and the environment. The systems are frequently subjected to sophisticated cyber attacks that could impact the Department's ability to carry out its mission. According to recent testimony on cyber security threats impacting the Nation, the Government Accountability Office noted that the number of cyber security incidents reported by Federal agencies increased by nearly 680 percent from Fiscal Years 2006 to 2011. These incidents included unauthorized access to systems, improper use of computing resources and the installation of malicious software. Between October 2009 and March 2012, the Department reported over 2,300 cyber security incidents.

The Federal Information Security Management Act of 2002 requires each agency to implement procedures for detecting, reporting and responding to cyber security incidents, including notifying and consulting with the Federal information security incident center, law enforcement agencies and Inspectors General. To meet this requirement and counter the threat posed by cyber attacks, the Department's Office of the Chief Information Officer, the National Nuclear Security Administration (NNSA) and a number of field sites established organizations to provide expertise in preventing, detecting, responding to and recovering from cyber security incidents. In 2008, the Office of Inspector General reported in The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008) that the Department and NNSA established and maintained a number of independent, at least partially duplicative, cyber security incident management capabilities. Management concurred with the recommendations in our report, and the Department and NNSA agreed to establish a joint incident management operation. Because cyber incidents have the potential to severely hinder the Department's ability to perform its mission and can require costly recovery efforts, we initiated this audit to determine whether the Department had implemented an effective enterprise-wide cyber security incident management program.

RESULTS OF AUDIT

Although certain actions had been taken in response to our prior report, we identified several issues that limited the efficiency and effectiveness of the Department's cyber security incident management program and adversely impacted the ability of law enforcement to investigate incidents. In particular, we noted that the Department and NNSA:

   • Continued to operate independent, partially duplicative cyber security incident management capabilities at an annual cost of more than $30 million. In particular, at the time of our audit, the Department's Joint Cybersecurity Coordination Center (JC3) provided response and advisory services and maintained capabilities supporting computer forensics and assistance in investigating and preserving cyber evidence. However, we identified at least two other organizations that provided similar capabilities; and,

   • Cyber security incidents were not consistently identified and/or reported to JC3 or other organizations, as required. Specifically, sites had not always reported cyber incidents in a timely manner. Our audit found that 91 of 223 (41 percent) reported incidents at 7 sites had not been reported within established timeframes. For example, contrary to Department policy, 10 incidents involving a loss of personally identifiable information, potentially affecting 109 individuals, were reported up to 15 hours after discovery. Additionally, sites failed to provide all information necessary for JC3 to properly respond to incidents or report all incidents to the cognizant law enforcement agencies.

The issues identified were due, in part, to the lack of a unified, Department-wide cyber security incident management strategy. For instance, despite our prior recommendations, the Department and NNSA had been unable to establish an integrated strategy for incident management. In addition, changes to the Department's incident management policy and guidance may have adversely impacted overall incident management and response by law enforcement and counterintelligence officials. Specifically, sites did not always report cyber security incidents because updated policy and reporting instructions lacked detail and were subject to interpretation. Also, we found that incident reporting to law enforcement was not always timely or complete, which hindered investigations into events. In the absence of an effective enterprise-wide cyber security incident management program, a decentralized and fragmented approach has evolved that places the Department's information systems and networks at increased risk. In addition, continued operation of independent capabilities could hinder the Department's ability to maintain an effective incident management program and result in unnecessary expenditures. For example, the fragmentation of cyber security incident response centers could limit the exchange of needed information and delay decision-making in response to security incidents.

Notably, programs and sites reviewed had taken steps related to preventing and/or detecting cyber security incidents. In particular, sites utilized a variety of tools to detect and block threats. In addition, sites were actively researching emerging threats and preparing defense postures against future attacks. Also, in preliminary comments to our report, management stated that the Department was in the process of building an enterprise-wide incident management strategy that would include all Departmental elements. These are positive actions; however, to help improve cyber-related communication and coordination, we made several recommendations that, if implemented, should help the Department develop an enterprise-wide cyber security strategy and enhance the security of its information systems.

MANAGEMENT REACTION

Management concurred with the report's recommendations and indicated that it had initiated actions to address issues identified in our report. In separate comments, NNSA concurred with the report's recommendations and provided intended corrective actions. Management's comments are included in Appendix 3.

Attachment

cc:  Deputy Secretary
     Acting Under Secretary of Energy
     Acting Under Secretary for Science
     Administrator, National Nuclear Security Administration
     Chief Information Officer
     Chief of Staff
     Chief Health, Safety and Security Officer


REPORT ON FOLLOW-UP AUDIT OF THE DEPARTMENT'S CYBER SECURITY INCIDENT MANAGEMENT PROGRAM

TABLE OF CONTENTS

Managing Cyber Security Incident Response
   Details of Finding
   Recommendations
   Comments

Appendices
   1. Objective, Scope and Methodology
   2. Prior Reports
   3. Management Comments


FOLLOW-UP AUDIT OF THE DEPARTMENT'S CYBER SECURITY INCIDENT MANAGEMENT PROGRAM

MANAGING CYBER SECURITY INCIDENT RESPONSE

The Department of Energy (Department or DOE) and the National Nuclear Security Administration (NNSA) had not developed and deployed an effective and/or efficient enterprise-wide cyber security incident management program. In particular, we found that a number of independent, partially duplicative cyber security incident management capabilities continued to operate at various locations. This issue echoes the findings in our 2008 report on The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008). In addition, organizations had not always appropriately reported successful incidents such as infection by malicious code and potential disclosure of personally identifiable information (PII).

Cyber Security Incident Management Capabilities

The Department and NNSA continued to operate independent, partially duplicative cyber security incident management capabilities. In particular, at the time of our audit, the Department's Joint Cybersecurity Coordination Center (JC3), managed by the Office of the Chief Information Officer (OCIO) and reportedly funded at approximately $9.8 million in Fiscal Year (FY) 2012, provided monitoring, response and advisory services, including capabilities for computer forensics and assistance in investigating and preserving cyber evidence. Despite these capabilities, NNSA and other programs continued to operate other independent, at least partially duplicative, capabilities. Specifically, we identified at least two additional entities spending more than $20 million annually. For example:

   • NNSA's Information Assurance Response Center (IARC), funded at approximately $15.5 million in FY 2012, provided monitoring services for the Enterprise Secure Network in addition to the unclassified networks at nearly all NNSA sites. In addition, at the time of our fieldwork, IARC monitored one non-NNSA site and was in the final stages of implementing monitoring services for another;

   • NNSA's IARC and various sites also operated independent cyber forensics capabilities. At two sites visited, personnel stated that they developed their own capabilities because they believed they could more quickly respond to cyber incidents rather than waiting on assistance from the OCIO's Cyber Forensics Laboratory (CFL); and,

   • The Cooperative Protection Program (CPP), a joint effort by the OCIO and the Office of Counterintelligence, which was funded at approximately $4.8 million according to program officials, maintained external network sensors to detect and deter hostile activity directed against the Department's information technology (IT) assets. The JC3 analyzed the data collected by the CPP and communicated the results to Headquarters and field sites. IARC, however, duplicated a certain portion of this functionality by deploying network sensors at various sites to monitor network traffic. IARC officials stated they deployed their own sensors, both internal and external to the Department's networks, because the CPP infrastructure generally did not deploy sensors inside the network firewalls that could capture data related to insider threat. We noted, however, that IARC did not take advantage of CPP's external network sensors that were already in place, and NNSA's Los Alamos National Laboratory (LANL) and Sandia National Laboratories, California (SNL-CA) were utilizing CPP's sensors rather than IARC's. In addition, while most sites throughout the Department utilized the CPP program, participation was voluntary and potentially prevented the Department from acquiring a complex-wide perspective of network traffic and attack patterns. In preliminary comments to our report, management stated that it planned to assess the functionality of both CPP and IARC sensors in an effort to reduce redundancy.

In addition to these multi-site capabilities, a number of field sites had developed site-specific cyber analysis capabilities. For example, the Pacific Northwest National Laboratory and LANL each maintained their own extensive cyber analysis capabilities. While we recognize that sites should maintain some level of cyber analysis capability, the duplication of effort across the complex may have resulted in additional funds being spent rather than utilizing existing resources. Although specific funding amounts for site-level capabilities were likely significant, costs could not be determined because the costs were not tracked by all the sites. This lack of information also limited the Department's ability to determine the return on investment of operating various capabilities.

Due in part to our prior audit on The Department's Cyber Security Incident Management Program, a joint incident management operation, the DOE Cyber Incident Response Capability (DOE-CIRC), became operational in October 2008. However, despite a Memorandum of Understanding between the Department and NNSA, and as noted in this report, disparate functions continued to exist. The Department's own assessment of its incident management capabilities following a particularly severe incident in 2011 identified, among other things, the fragmentation of the Department's and NNSA's cyber security incident response centers and duplicative and/or deficient channels of communications and notification. As a result, the Department's Information Management Governance Council (IMGC) and the Deputy Secretary approved the concept to expand JC3, the successor organization to DOE-CIRC, to include NNSA and other cyber security functions across the Department. This action was intended to consolidate disparate functions and streamline information sharing.

Although the JC3 strategy was to be implemented by the end of FY 2011, that goal was not achieved due to a variety of issues. For instance, the Department and NNSA had not identified existing capabilities and how they would be integrated. Also, the governance structure of JC3, including roles and responsibilities, had not been determined. Additionally, a project management strategy, including a project plan, performance metrics and budget, had not been developed. At the time our fieldwork concluded, efforts were still underway to fully implement JC3.

Incident Reporting

Cyber security incidents were not consistently identified and/or reported to JC3 or other organizations such as the Office of Inspector General (OIG). Specifically, incidents, either suspected or confirmed, were not always reported to JC3 in a timely manner even though JC3 guidelines established clear timeframes for reporting. In some cases, even when incidents were reported within the required timeframe, information was omitted from the report, or updated reports were not communicated to law enforcement organizations, hindering their ability to make informed decisions regarding the need for investigation. Finally, information related to reported incidents was not always provided to the proper law enforcement organizations as required by the Federal Information Security Management Act of 2002 (FISMA). In particular:

   • Sites did not always report cyber security incidents to JC3 in a timely manner. While reporting timeframes for incidents were clearly defined in the JC3 reporting procedures, we found most sites reviewed did not always comply with these timeframes. Specifically, our review of 223 reported incidents at 7 sites revealed that 91 (41 percent) had not been reported within the established timeframes. Although required to be reported within 45 minutes, we noted 10 incidents involving PII potentially affecting 109 individuals at 3 sites that, in some cases, had been reported up to 15 hours beyond the prescribed timeframe. We also found instances of malware infections and system compromises that had not been reported in a timely manner;

   • Incident reports did not always contain essential elements. In particular, the reports reviewed frequently did not contain information such as the date or time the incident occurred, security category and/or the number of machines affected. As a consequence, information provided to law enforcement and the United States Computer Emergency Readiness Team (US-CERT) was incomplete, and the information necessary for analyzing the nature or origin of various exploits was not always available for analysis; and,

   • Incident reporting to law enforcement was not timely or complete, which hindered investigations into the events. We found one incident involving a system compromise that was reported to JC3 in October 2011 but was not reported to law enforcement until December 2011. In another case, the Savannah River Site reported an incident to JC3, but JC3 did not accurately report the severity of the incident to law enforcement officials, including the number of machines affected. Therefore, law enforcement organizations did not have the data necessary to make a timely, informed decision as to whether an investigation was warranted.

MANAGEMENT OF CYBER SECURITY INCIDENTS

The issues identified were due, in part, to the lack of a coordinated and unified Department-wide cyber security incident management strategy.
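The reporting deficiencies described under Incident Reporting (late reports, reports missing the date or time the incident occurred, the security category or the number of machines affected) and the incidents that were never reported at all are the kind of checks an incident management program can run mechanically over its own records. The following is an added example written for this page; it is not code from the audit report, from JC3 or from any Department organization. It uses the 45-minute deadline for PII incidents that the report states, assumes a 60-minute deadline for other categories (that figure is an assumption, not from the report), and runs over constructed sample records.

```python
"""Incident-report timeliness and completeness check (added example).

Applies three checks over a set of incident records:
  1. timeliness: was the incident reported within the deadline for its
     category (45 minutes for PII, per the audit report; 60 minutes for
     other categories is an assumed default for this example)?
  2. completeness: does the report carry the essential elements the audit
     found missing (date/time occurred, security category, machines affected)?
  3. unreported: was the incident ever reported to the coordination center?
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Essential elements the audit found frequently missing from reports.
REQUIRED_FIELDS = ("occurred_at", "security_category", "machines_affected")

# Reporting deadlines in minutes. "pii" comes from the audit report; the
# default applied to other categories is an assumption for illustration.
DEADLINES_MINUTES: Dict[str, int] = {"pii": 45}
DEFAULT_DEADLINE_MINUTES = 60


@dataclass
class Finding:
    incident_id: str
    site: str
    late_by: Optional[timedelta]            # None when on time or unreported
    missing_fields: List[str] = field(default_factory=list)
    unreported: bool = False                # never reported to the center

    @property
    def is_late(self) -> bool:
        return self.late_by is not None

    @property
    def is_incomplete(self) -> bool:
        return bool(self.missing_fields)


def _parse(ts: Optional[str]) -> Optional[datetime]:
    """Parse a 'YYYY-MM-DD HH:MM' timestamp; None stays None."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M") if ts else None


def check_report(rec: dict, default_deadline: int = DEFAULT_DEADLINE_MINUTES) -> Finding:
    """Evaluate one incident record against the three checks."""
    discovered = _parse(rec["discovered_at"])
    reported = _parse(rec.get("reported_at"))
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if reported is None:
        # Discovered but never reported: the worst case the audit describes.
        return Finding(rec["id"], rec["site"], None, missing, unreported=True)
    deadline = timedelta(minutes=DEADLINES_MINUTES.get(rec["category"], default_deadline))
    delay = reported - discovered
    late_by = delay - deadline if delay > deadline else None
    return Finding(rec["id"], rec["site"], late_by, missing)


def audit(records: List[dict]) -> dict:
    """Run the checks over all records and summarize them the way the audit did."""
    findings = [check_report(r) for r in records]
    late = sum(1 for f in findings if f.is_late)
    return {
        "total": len(findings),
        "late": late,
        "late_pct": round(100 * late / len(findings)) if findings else 0,
        "incomplete": sum(1 for f in findings if f.is_incomplete),
        "unreported": sum(1 for f in findings if f.unreported),
        "findings": findings,
    }


# Constructed sample records; none of these are incidents from the audit.
SAMPLE_RECORDS = [
    # PII incident reported within 45 minutes with all essential elements
    {"id": "INC-1", "site": "Site A", "category": "pii",
     "discovered_at": "2012-03-01 09:00", "reported_at": "2012-03-01 09:30",
     "occurred_at": "2012-03-01 08:50", "security_category": "Moderate",
     "machines_affected": 1},
    # PII incident reported 15 hours beyond the 45-minute deadline
    {"id": "INC-2", "site": "Site B", "category": "pii",
     "discovered_at": "2012-03-02 10:00", "reported_at": "2012-03-03 01:45",
     "occurred_at": "2012-03-02 09:00", "security_category": "Moderate",
     "machines_affected": 1},
    # Malware report on time but missing two essential elements
    {"id": "INC-3", "site": "Site A", "category": "malware",
     "discovered_at": "2012-03-05 14:00", "reported_at": "2012-03-05 14:40",
     "occurred_at": None, "security_category": "", "machines_affected": 3},
    # System compromise reported late and without a machine count
    {"id": "INC-4", "site": "Site C", "category": "compromise",
     "discovered_at": "2012-03-07 08:00", "reported_at": "2012-03-07 11:00",
     "occurred_at": "2012-03-07 07:30", "security_category": "High",
     "machines_affected": None},
    # Malware detected by internal monitoring and never reported
    {"id": "INC-5", "site": "Site B", "category": "malware",
     "discovered_at": "2012-03-09 16:00", "reported_at": None,
     "occurred_at": "2012-03-09 15:30", "security_category": "Low",
     "machines_affected": 1},
]

if __name__ == "__main__":
    summary = audit(SAMPLE_RECORDS)
    print(f"{summary['late']} of {summary['total']} ({summary['late_pct']} percent) reported late; "
          f"{summary['incomplete']} incomplete; {summary['unreported']} never reported")
    for f in summary["findings"]:
        if f.is_late or f.is_incomplete or f.unreported:
            print(f"  {f.incident_id} ({f.site}): late_by={f.late_by}, "
                  f"missing={f.missing_fields}, unreported={f.unreported}")
```

The deadline table is deliberately keyed by incident category so that a site can load its own reporting instructions into it; the point of the check is that the same definitions apply at every site, which is exactly the consistency the audit found lacking.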
In addition, changes to the Department\'s incident\n                      management policy and guidance may have adversely impacted\n                      overall incident management including response by law\n                      enforcement and counterintelligence officials.\n\n                                        Incident Management Strategy\n\n                      Despite our prior recommendation, the Department and NNSA had\n                      been unable to establish an integrated strategy for incident\n                      management. The lack of a unified approach and the increasing\n                      number of cyber security incidents led various Department\n                      elements to develop their own, sometimes duplicative capabilities.\n                      In addition, the Department\'s current approach was not consistent\n                      with FISMA or National Institute of Standards and Technology\n                      guidance that required agencies to develop a comprehensive plan\n\nPage 4                                                                 Details of Finding\n\x0c         for a well-coordinated and integrated solution for capturing,\n         analyzing and disseminating aggregate cyber incident information\n         across the complex. Specifically, Department management had not\n         determined which cyber security incident capabilities best\n         provided specific services or which, if any, could be consolidated\n         with others to offer more effective overall response and reporting.\n         For example, NNSA officials stated that they had already\n         implemented a monitoring capability that was scalable and could\n         be expanded Department-wide. Department officials commented,\n         however, that they were skeptical of the ability to scale and expand\n         this capability. 
Furthermore, Department officials had not\n         developed the strategy and related documentation necessary for\n         successful implementation of JC3, including important elements\n         such as a memorandum of understanding, project execution plan\n         and project budget.\n\n                     Incident Management Policy and Guidance\n\n         In response to our prior recommendation to develop and\n         implement policy and guidance supporting the program, the OCIO\n         published Department Manual 205.1-8, Cyber Security Incident\n         Management Manual, which provided enterprise-wide\n         requirements for incident identification, categorization,\n         containment, reporting and mitigation. The Manual also\n         established DOE-CIRC, the predecessor organization to JC3, as the\n         Department\'s consolidated incident management entity. However,\n         the Manual was cancelled in May 2011, just over 2 years after its\n         approval, and replaced with Department Order 205.1B,\n         Department of Energy Cyber Security Program, which provided\n         more general guidance that could adversely impact overall incident\n         management and response by the Department, law enforcement\n         and counterintelligence officials. 
Our review of Department Order\n         205.1B noted that it did not address many incident management\n         practices required by the cancelled Manual, including:\n\n            \xe2\x80\xa2   Outlining a structured process for disseminating\n                information regarding sophisticated and coordinated cyber\n                attacks;\n\n            \xe2\x80\xa2   Establishing a structured process for a coordinated response\n                to cyber attacks that impacted multiple program offices and\n                sites;\n\n            \xe2\x80\xa2   Establishing clearly defined purposes, roles or\n                responsibilities for JC3 \xe2\x80\x93 the organization designated as the\n                Department\'s central point of contact for cyber incident\n                management;\n\nPage 5                                                   Details of Finding\n\x0c                           \xe2\x80\xa2   Providing roles or coordination requirements for other\n                               existing capabilities such as the CFL, IARC, CPP and\n                               various site-specific capabilities; and,\n\n                           \xe2\x80\xa2   Specifically requiring JC3 to report certain cyber security\n                               incidents to law enforcement authorities such as the OIG,\n                               Federal Bureau of Investigation and investigative\n                               authorities.\n\n                       In addition, the reporting instructions developed by JC3 lacked\n                       detail and were subject to interpretation as to the definition of a\n                       reportable incident, which contributed to problems we identified\n                       related to reporting. 
In particular, sites were inconsistent when\n                       making determinations as to what constituted a reportable incident.\n                       Specifically, we determined that 31 of 148 (21 percent) incidents\n                       reviewed at 7 sites were not reported to JC3, as required. For\n                       example, most sites did not report incidents that were identified by\n                       internal monitoring devices, resulting in possible missed\n                       opportunities to strengthen the overall security awareness of other\n                       sites within the Department. Further, while the reporting\n                       instructions stated that all instances of loss, stolen or missing IT\n                       resources, including media that contained Sensitive Unclassified\n                       Information (SUI) or national security information were to be\n                       reported, some sites did not report items that were encrypted\n                       because officials believed there was no risk of information loss. In\n                       light of the issues identified, we believe that adopting a more\n                       rigorous approach to incident management could result in\n                       enhanced monitoring and response capabilities.\n\nInformation Systems    In the absence of an effective enterprise-wide cyber security\nand Networks at Risk   incident management program, a decentralized and fragmented\n                       approach evolved that placed the Department\'s information\n                       systems and networks at increased risk of compromise. 
The\n                       Department\'s current reporting and cyber incident management\n                       structure also increases the risk that it will be unable to satisfy both\n                       internal and external response and reporting requirements.\n\n                       In addition, continued operation of independent capabilities could\n                       hinder the Department\'s ability to report all unauthorized system\n                       activity quickly and accurately. Furthermore, the Department\'s\n                       ability to ensure that each of its components have established\n                       processes for timely and accurate reporting to JC3 and its reporting\n                       to US-CERT and, where appropriate, to law enforcement or\n                       counterintelligence authorities, may be negatively impacted.\n\n\n\n\nPage 6                                                                    Details of Finding\n\x0c                  While current efforts to establish the JC3 as an integrated,\n                  Department-wide capability are commendable, it is uncertain that\n                  the desired outcomes will be achieved in a timely manner. During\n                  our audit, plans for JC3 went through numerous iterations with\n                  disagreements from programs and organizations regarding how the\n                  capability should be structured and managed. 
While it appeared\n                  that the IMGC was working towards an agreement, we continue to\n                  stress the importance of a formal structured coordination of\n                  processes and procedures that includes both Headquarters and field\n                  sites, to enable the Department to respond quickly and effectively\n                  to future sophisticated attacks.\n\nRECOMMENDATIONS   To improve the Department\'s enterprise-wide cyber security\n                  strategy and enhance the security of its information systems, we\n                  recommend that the Under Secretary for Nuclear Security, the\n                  Acting Under Secretary of Energy and the Acting Under Secretary\n                  for Science, in coordination with the Department\'s and the\n                  National Nuclear Security Administration\'s Chief Information\n                  Officers:\n\n                       1. Develop and implement an enterprise-wide cyber security\n                          incident management strategy that:\n\n                             a) Establishes clearly defined lines of authority,\n                                responsibility and accountability among the\n                                various capabilities; promotes a coordinated\n                                approach for preventing, detecting, responding\n                                to and recovering from cyber security events;\n                                and, enforces prompt and complete notification\n                                of reportable incidents to include relevant law\n                                enforcement and counterintelligence officials;\n\n                             b) Requires all Departmental elements, including\n                                NNSA, to contribute to a unified and consistent\n                                cyber security incident management program\n                                that ensures timely 
and appropriate response\n                                activities, and continuity of operations; and,\n\n                             c) Leverages the use of existing capabilities and\n                                resources and eliminates unnecessary\n                                duplication, where appropriate.\n\n                       2. Develop and implement policy to provide detailed\n                          enterprise-wide requirements for identification,\n                          categorization, containment, reporting and mitigation of\n                          cyber security incidents.\n\n\n\nPage 7                                                          Recommendations\n\x0cMANAGEMENT         Department and NNSA management concurred with each of the\nREACTION           report\'s recommendations and indicated that corrective actions\n                   would be taken to address the issues identified. Department\n                   management stated that it was in the process of transforming its\n                   incident management program, including the design and\n                   development of JC3. In addition, management noted that several\n                   enterprise incident management improvements had been made\n                   including the enhanced ability to share information across the\n                   complex. NNSA management commented that it was responsible\n                   for the development, operation and coordination of implementation\n                   of an enterprise-wide cyber security incident management program\n                   that will address the recommendations.\n\nAUDITOR COMMENTS   Management\'s comments and planned corrective actions are\n                   responsive to our recommendations. 
Management's comments are included in their entirety in Appendix 3.

Appendix 1

OBJECTIVE

To determine whether the Department of Energy (Department) had implemented an effective enterprise-wide cyber security incident management program.

SCOPE

We conducted the audit from November 2011 to December 2012, at Headquarters offices in Washington, DC; the Lawrence Livermore National Laboratory in Livermore, California; Lawrence Berkeley National Laboratory in Berkeley, California; Pacific Northwest National Laboratory in Richland, Washington; Richland Operations Office in Richland, Washington; Savannah River Site in Aiken, South Carolina; Los Alamos National Laboratory in Los Alamos, New Mexico; and, the National Nuclear Security Administration's Information Assurance Response Center facility in Las Vegas, Nevada.

METHODOLOGY

To accomplish the audit objective, we:

    • Reviewed the current status of the Department's enterprise incident management capabilities;

    • Analyzed documentation and logs to determine whether cyber incidents were reported to the Department of Energy Cyber Incident Response Capability/Joint Cybersecurity Coordination Center, the Information Assurance Response Center and the United States Computer Emergency Readiness Team in a timely manner and within established Federal and Department timeframes;

    • Determined whether training was adequate for system administrators and employees to identify when an incident was to be reported;

    • Reviewed Intrusion Detection System configurations to ensure that the configurations were fully enabled and all traffic was being reviewed;

    • Reviewed a sample of incident report supporting documentation to determine whether the documentation was appropriately detailed and specific; and,

    • Evaluated the status of prior audit recommendations.

We conducted this performance audit in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Accordingly, we assessed significant internal controls and the Department's implementation of the GPRA Modernization Act of 2010 and determined that, while certain timeframes for reporting incidents had been established, the Department had not established performance measures for cyber security incident management.
Because our review was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed at the time of our evaluation. We did not rely on computer-processed data to satisfy our audit objectives.

Department and NNSA management waived an exit conference.

Appendix 2

PRIOR REPORTS

    • Evaluation Report on The Department's Unclassified Cyber Security Program – 2009 (DOE/IG-0828, October 2009). The Department of Energy (Department) continued to make incremental improvements in its unclassified cyber security program, including the centralized incident response organization designed to eliminate duplicative efforts throughout the Department. However, coordination between the Office of the Chief Information Officer and the National Nuclear Security Administration needed improvement. The problems identified occurred, at least in part, because certain cyber security roles and responsibilities had not been clearly delineated.

    • Evaluation Report on The Department's Unclassified Cyber Security Program – 2008 (DOE/IG-0801, September 2008). While various sites had taken action to address weaknesses previously identified in the Fiscal Year 2007 evaluation, additional action was required to further enhance the Department's unclassified cyber security program and help reduce risks to its systems and data. Specifically, actions to address cyber incident response issues and to eliminate duplicative incident response capabilities had been initiated but were not yet complete. Individual program and cyber incident response organizations were not required to adhere to a coordinated/common approach for incident reporting. As a consequence, incident reports reaching the Department's Computer Incident Advisory Capability lacked essential elements for reporting to law enforcement and subsequent analysis for trending. Also, in the event of a multi-site cyber attack on the Department's networks and systems, this reporting environment made it difficult for the Department to develop a coordinated response.

    • Audit Report on The Department's Cyber Security Incident Management Program (DOE/IG-0787, January 2008). The report identified issues that could limit the efficiency and effectiveness of the Department's program and could adversely impact investigations by law enforcement or counterintelligence officials. Specifically, the audit identified that program elements and facility contractors had established and operated as many as eight independent cyber security intrusion and analysis organizations whose missions and functions we found to be, at least partially, duplicative and not well coordinated. Also, the Department had not adequately addressed issues through policy changes, even though it had identified and acknowledged weaknesses in its cyber security incident management and response program.
Many of the issues observed were attributable to the lack of a unified, Department-wide cyber incident response strategy.

Appendix 3

MANAGEMENT COMMENTS

IG Report No. DOE/IG-0878

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if applicable to you:

    1. What additional background information about the selection, scheduling, scope, or procedures of the audit or inspection would have been helpful to the reader in understanding this report?

    2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

    3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

    4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report that would have been helpful?

    5. Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

    Office of Inspector General (IG-1)
    Department of Energy
    Washington, DC 20585

    ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact our office at (202) 253-2162.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

    U.S. Department of Energy Office of Inspector General Home Page
    http://energy.gov/ig

Your comments would be appreciated and can be provided on the Customer Response Form.